In an enterprise network, event logs from individual computers are a valuable data source for detecting malicious activity. Most modern operating systems can record such events, and they can be collected centrally for a wide range of activity occurring within the network. The events include authentication activity of user credentials across the network (for example, logons from one computer to another), as well as process and application data generated on each computer. Many rule-based approaches to detecting security incidents exist, but little is currently done with statistical modeling of event logs for anomaly detection, that is, learning what each user's or computer's normal activity looks like and flagging statistically unlikely departures from it.
One important research problem associated with this data is identifying user credential theft or misuse. After the initial compromise of a computer, adversaries typically need to gain access to user credentials in order to move laterally through the network. Currently, this is surprisingly simple. For instance, an attacker with administrative control of one computer can obtain and reuse credential material in the network via "pass-the-hash" attacks, which reuse a user's NTLM password hash without knowing the password, or "pass-the-ticket" attacks, which reuse a Kerberos ticket. "Single sign-on" is prevalent in most Microsoft network domains and is meant to improve user experience and prevent users from repeatedly typing in their password. However, this requires the operating system to keep credential material such as hashes and tickets cached in memory, and attackers who gain sufficient privilege on the computer can recover those credentials, and sometimes plaintext passwords, from memory. Typically, attackers continue to steal credentials as they move from computer to computer so that they can escalate their privileges within the network, depending on their ultimate goal.
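The two preceding paragraphs motivate statistical modeling of authentication events to catch stolen or misused credentials. The following is an added example, not code from the original text or from any product it describes, of one simple such model: for each user, the number of destination computers authenticated to for the first time on a given day is treated as a count with a Poisson baseline rate learned from earlier days, and a day whose count is improbable under that rate is flagged. The event schema (day, user, source, destination), the constructed sample events, and the pseudo-rate floor for users with a quiet history are all assumptions made for the example.

```python
"""Per-user anomaly scoring of authentication events (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from math import exp, factorial


@dataclass(frozen=True)
class AuthEvent:
    day: int    # integer day index; days before TEST_DAY form the baseline window
    user: str   # account the authentication was performed with
    src: str    # computer the logon originated from
    dst: str    # computer that was authenticated to


TEST_DAY = 6  # assumption: the day being scored against the preceding history


def _ev(day, user, src, dst):
    return AuthEvent(day, user, src, dst)


# Constructed sample log, not taken from any real network. Users u1 and u2 have
# stable habits on days 1-5 (u1 also visits one new host on day 3). On day 6,
# u2's credential is used from a workstation u2 never used before to reach
# several servers u2 never touched, the pattern lateral movement produces.
SAMPLE_EVENTS = []
for _day in range(1, 6):
    SAMPLE_EVENTS += [_ev(_day, "u1", "WS01", "FS01"), _ev(_day, "u1", "WS01", "MAIL01")]
    SAMPLE_EVENTS += [_ev(_day, "u2", "WS02", "FS01"), _ev(_day, "u2", "WS02", "DB01")]
SAMPLE_EVENTS.append(_ev(3, "u1", "WS01", "PRINT01"))
SAMPLE_EVENTS += [_ev(6, "u1", "WS01", "FS01"), _ev(6, "u1", "WS01", "MAIL01")]
SAMPLE_EVENTS += [_ev(6, "u2", "WS09", h) for h in ("FS01", "SRV01", "SRV02", "SRV03", "DC01")]


def new_destinations_per_day(events):
    """For each user and day, count destination hosts that user had never
    authenticated to on any earlier day (a first-seen user->host edge)."""
    by_user_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        by_user_day[e.user][e.day].add(e.dst)
    counts = defaultdict(dict)  # user -> {day: number of first-seen destinations}
    for user, days in by_user_day.items():
        seen = set()
        for day in sorted(days):
            counts[user][day] = len(days[day] - seen)
            seen |= days[day]
    return counts


def poisson_tail(k, lam):
    """Upper tail P(X >= k) for X ~ Poisson(lam)."""
    return 1.0 - sum(exp(-lam) * lam ** i / factorial(i) for i in range(k))


def score_day(events, test_day=TEST_DAY, min_rate=0.2, alpha=0.01):
    """Score each user's activity on test_day against their own history.

    The baseline rate is the mean daily count of first-seen destinations over
    the history (day 1 is excluded because every destination is trivially new
    on first observation). min_rate is an assumed floor so that a user with a
    perfectly stable history is not alerted on by a single new host.
    """
    counts = new_destinations_per_day(events)
    srcs = defaultdict(lambda: defaultdict(set))
    for e in events:
        srcs[e.user][e.day].add(e.src)

    results = {}
    for user, per_day in counts.items():
        baseline = [n for d, n in per_day.items() if 1 < d < test_day]
        if not baseline:
            continue  # insufficient history to model; handle such users separately
        lam = max(sum(baseline) / len(baseline), min_rate)
        k = per_day.get(test_day, 0)
        p = poisson_tail(k, lam)
        known_srcs = set().union(*(srcs[user][d] for d in srcs[user] if d < test_day))
        results[user] = {
            "new_dsts": k,
            "rate": lam,
            "p": p,
            "new_srcs": sorted(srcs[user].get(test_day, set()) - known_srcs),
            "alert": p < alpha,
        }
    return results


if __name__ == "__main__":
    for user, r in sorted(score_day(SAMPLE_EVENTS).items()):
        print(user, r)
```

In this run u1 scores no first-seen destinations on day 6 and is not alerted on, while u2 scores four first-seen destinations against a baseline rate of 0.2 per day, a tail probability well below 0.01, and is additionally reported as authenticating from a source computer absent from its history. A production version would learn the baseline over weeks rather than days and would model source and destination novelty jointly, but the structure is the same: a per-entity statistic, a fitted null distribution, and a threshold on the tail probability.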
Another scenario of interest is the misuse of genuine credentials. In light of recent events, such as the exfiltration of highly classified documents from the U.S. National Security Agency (NSA) by Edward Snowden and the many insider trading occurrences within the financial industry, identifying credential misuse has become increasingly important to both government and industry. Accordingly, an improved approach to cybersecurity may be beneficial.